Eavesdropping is intercepting the data traversing the Internet at an intermediary point and reading the contents. Eavesdropping is becoming possible on the Internet because the data from one end has to travel to the other through a number of intermediary nodes called routers, which are neither under the control of the sender nor under that of the recipient at the destination. Eavesdroppers use a sniffer to intercept the data arriving at a router en route the destination. A sniffer is a program and/or device that monitors data passing through a network. Sniffers are easily available in the market as tools providing legitimate network management functions. Unfortunately, hackers misuse them for stealing information off a network. Unauthorized sniffers can be extremely dangerous to a network's security, as they are virtually impossible to detect.
Cryptography is a wise technique widely employed in protecting Internet communications and e-commerce transactions to defeat eavesdropping. Basically it involves two steps—data encryption on the sender side and decryption on the recipient side. Cryptography algorithms are classified into Symmetric and Asymmetric, or Private-key and Public-key. Private-key algorithms use the same key for both encryption and decryption, and are not suitable for today's web-based systems involving many strange participants everyday. It is hard to share secret keys, as they need a secure channel for distribution.
The shortcomings of the private-key algorithms are overcome by the public-key algorithms, which use different keys, called public and private, for encryption and decryption. The two keys are mathematically related to each other, and not easily deducible one from the other.
One of the best known and most widely used public key algorithms is the RSA algorithm named for its creators Rivest, Shamir, and Adleman. The original RSA algorithm is described in U.S. Pat. No. 4,405,829, entitled “Cryptographic Communications System and Method” issued on Sep. 20, 1983 in the names of Rivest, Shamir, and Adleman. This patent is incorporated by reference as background information.
The RSA algorithm for encryption and decryption is given as follows:    RSA Encryption: C=M.sup.e mod n, where M is original message and C is ciphertext.    RSA Decryption: M=C.sup.d mod n, where p and q are two prime numbers, and n=p.q, and e is a number relatively prime to (p−1).(q−1).
The value (p−1).(q−1) is called Euler Totient Function of n and represented by phi. mod operator represents the remainder left when the left hand operand is divided by the right hand operand.
d is called multiplicative inverse of e, which satisfies the relation e.d=k.phi+1 for any integer k. For large e values, d value can be computed using Extended Euclid's Algorithm. p, q and phi are discarded once d is computed. The pair (e,n), called public key, is revealed to the public. d is called private key and maintained in strict confidence. To compute d from (e,n), one has to perform nearly square-root(n)modular operations, which would take several years for large keys.
Data encrypted by one key can be decrypted only by the other. Encryption and decryption involve exponential modular arithmetic operations on a number that is a function of the original message.
Public-key Cryptography has emerged into a superior technology over the Private-key Cryptography because of its suitability to e-commerce with its capabilities, such as data integrity and non-repudiation. Another public key algorithm widely known is ECC (Elliptic Curve Cryptography).
Unfortunately, even public key cryptography has its own shortcomings. A weakness of the present-day public key algorithms is that they do not survive the private-key compromise attacks following an internal breach of trust. In reality, this is what is happening in today's competitive business environment. Security administrators of well established e-commerce companies resorting to accept the lucrative bribes offered by the competitors make void the security potential of the present day public-key cryptography algorithms, such as RSA and ECC. Once a breach takes place in business, and subsequently the private key of the business is revealed, the public-key algorithms become no more useful, because the degree of security that RSA and ECC offer to communications after private key compromise is zero. The revealed key may be used by the competitor, or the attacker to decipher the intercepted data at an intermediary router. If a Certifying Authority's private key itself is compromised, the event should be considered catastrophic. Immediately, the CA must cease issuing new certificates under the key and the old certificates must be recalled and reissued using a new key.
Another weakness of the public key algorithms is they secure only the public-to-private-side communications and fail to protect the private-to-public-side communications. To illustrate, suppose Bob, Chris and David are sharing Alice's public key. When Bob sends a message to Alice, Chris and David can not eavesdrop on their communication, as they do not know Alice's private key, which is necessary to decrypt the data. But the converse is not true, that is, when Alice sends a message to Bob, Chris and David can eavesdrop on their communication and successfully read the message. This is because Chris and David share the same public key of Alice with Bob, which is necessary for decryption this time.
The mathematical approach of breaking RSA ciphertext is to factor the key modulus, a very large number, into two primes, which requires several years of computation, some times even millions of years. For large keys, this is too difficult a task for an attacker and is quite impractical unless he has several thousands of machines to be engaged in parallel computing. However, there is another approach to breaking RSA, ECC or any other such ciphertext—bribing the security administrators or the private key guarding employees to reveal the key. This weakness of the public key algorithms calls for a better concept and approach towards performing the cryptographic operations on Internet communications.